HIPAA Penalties Now Mandatory for Willful Neglect

As of February 18, 2011, the OCR is required to impose penalties ranging from $10,000 to more than $50,000 for HIPAA violations caused by a covered entity’s or business associate’s willful neglect. Last month, the OCR imposed its first penalty under the new standard: a $4.3 million fine against a Maryland health center.

HIPAA Penalties. As discussed in our past Client Updates, the federal HITECH Act dramatically increased penalties for HIPAA violations. The following chart summarizes the structure under the new enforcement rules:

| Conduct | Penalty per violation | Penalty per identical type of violation per calendar year |
|---|---|---|
| Covered entity did not know and, by exercising reasonable diligence, would not have known of the violation | $100 to $50,000. No penalty if corrected within 30 days. OCR may waive or reduce penalties. | Up to $1,500,000 |
| Violation due to reasonable cause and not willful neglect | $1,000 to $50,000. No penalty if corrected within 30 days. OCR may waive or reduce penalties. | Up to $1,500,000 |
| Violation due to willful neglect but the violation is corrected within 30 days after the covered entity knew, or by exercising reasonable diligence, would have known that the violation occurred | $10,000 to $50,000. Penalties mandatory effective 2/18/11. | Up to $1,500,000 |
| Violation due to willful neglect but the violation was not corrected within 30 days after the covered entity knew, or by exercising reasonable diligence, would have known that the violation occurred | At least $50,000. Penalties mandatory effective 2/18/11. | Up to $1,500,000 |

(45 CFR § 160.400 et seq.).

Bad News: Mandatory Penalties Imposed for Willful Neglect. As reflected in the chart, violations due to willful neglect now carry a mandatory penalty ranging from $10,000 to at least $50,000. “Willful neglect” means the “conscious, intentional failure or reckless indifference to the obligation to comply with [HIPAA]…” (45 CFR 164.401). On February 4, 2011, HHS fined Cignet Health Center $4.3 million for HIPAA violations. Interestingly, the penalty did not relate to any breach of privacy; instead, Cignet was fined $1.3 million for failing to timely respond to 41 patients’ requests to access their health information, and $3 million for refusing to cooperate with the OCR’s investigation. The penalties confirm that HHS is serious about enforcing all aspects of HIPAA, not just the privacy provisions. They also send a clear warning to those who do not take OCR investigations seriously.

Good News: May Avoid Penalties if No Willful Neglect. The good news is that the mandatory penalties are reserved for only those violations that involve willful neglect; for other violations, covered entities and business associates may avoid penalties altogether if they correct the situation within 30 days. Even if they fail to correct the situation, the OCR may waive or reduce penalties if it determines that the penalties in a given case would be excessive. Covered entities and business associates should take appropriate action to ensure that they are not deemed to act with willful neglect. Among other things, entities should:

  • Implement the written policies that are required by HIPAA as set forth in 45 CFR part 164, including those dealing with use and disclosure rules, electronic security, patient rights, breach notification, and administrative requirements.
  • Train employees and other workforce members concerning the policies, and document the training.
  • Immediately address and correct any potential HIPAA violation and document such actions, including the imposition of sanctions against those who violated HIPAA.
  • If required, notify patients and HHS of privacy breaches.
  • Cooperate with the OCR during any investigation.

Taking such actions should protect covered entities from a finding of “willful neglect” and the mandatory penalties that may otherwise follow.

If you have questions about these or other legal issues, please contact a member of our Health Law group or call 208.344.6000.
